CVE-2013-7108

EUVD-2013-6894
Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c in cgi/, which triggers a heap-based buffer over-read.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:S/C:P/I:N/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 97%
Affected Products (NVD)
VendorProductVersion
nagiosnagios
𝑥
≤ 4.0.2
nagiosnagios
3.0
nagiosnagios
3.0:alpha1
nagiosnagios
3.0:alpha2
nagiosnagios
3.0:alpha3
nagiosnagios
3.0:alpha4
nagiosnagios
3.0:alpha5
nagiosnagios
3.0:beta1
nagiosnagios
3.0:beta2
nagiosnagios
3.0:beta3
nagiosnagios
3.0:beta4
nagiosnagios
3.0:beta5
nagiosnagios
3.0:beta6
nagiosnagios
3.0:beta7
nagiosnagios
3.0:rc1
nagiosnagios
3.0:rc2
nagiosnagios
3.0:rc3
nagiosnagios
3.0.1
nagiosnagios
3.0.2
nagiosnagios
3.0.3
nagiosnagios
3.0.4
nagiosnagios
3.0.5
nagiosnagios
3.0.6
nagiosnagios
3.1.0
nagiosnagios
3.1.1
nagiosnagios
3.1.2
nagiosnagios
3.2.0
nagiosnagios
3.2.1
nagiosnagios
3.2.2
nagiosnagios
3.2.3
nagiosnagios
3.3.1
nagiosnagios
3.4.0
nagiosnagios
3.4.1
nagiosnagios
3.4.2
nagiosnagios
3.4.3
nagiosnagios
3.5.1
icingaicinga
𝑥
≤ 1.8.4
icingaicinga
0.8.0
icingaicinga
0.8.1
icingaicinga
0.8.2
icingaicinga
0.8.3
icingaicinga
0.8.4
icingaicinga
1.0
icingaicinga
1.0:rc1
icingaicinga
1.0.1
icingaicinga
1.0.2
icingaicinga
1.0.3
icingaicinga
1.2.0
icingaicinga
1.2.1
icingaicinga
1.3.0
icingaicinga
1.3.1
icingaicinga
1.4.0
icingaicinga
1.4.1
icingaicinga
1.6.0
icingaicinga
1.6.1
icingaicinga
1.6.2
icingaicinga
1.7.0
icingaicinga
1.7.1
icingaicinga
1.7.2
icingaicinga
1.7.3
icingaicinga
1.7.4
icingaicinga
1.8.0
icingaicinga
1.8.1
icingaicinga
1.8.2
icingaicinga
1.8.3
icingaicinga
1.9.0
icingaicinga
1.9.1
icingaicinga
1.9.2
icingaicinga
1.9.3
icingaicinga
1.10.0
icingaicinga
1.10.1
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
icinga
lucid
dne
precise
ignored
quantal
ignored
raring
ignored
saucy
ignored
trusty
dne
utopic
not-affected
vivid
not-affected
wily
not-affected
xenial
not-affected
yakkety
not-affected
zesty
not-affected
nagios3
lucid
ignored
precise
ignored
quantal
ignored
raring
ignored
saucy
ignored
trusty
Fixed 3.5.1-1ubuntu1.1
released
utopic
ignored
vivid
ignored
wily
ignored
xenial
Fixed 3.5.1.dfsg-2.1ubuntu1.1
released
yakkety
Fixed 3.5.1.dfsg-2.1ubuntu3.1
released
zesty
Fixed 3.5.1.dfsg-2.1ubuntu5
released
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-updates/2014-01/msg00010.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00028.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00046.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00068.html
http://secunia.com/advisories/55976
http://secunia.com/advisories/56316
http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/
http://www.mandriva.com/security/advisories?name=MDVSA-2014:004
http://www.openwall.com/lists/oss-security/2013/12/24/1
http://www.securityfocus.com/bid/64363
https://dev.icinga.org/issues/5251
https://lists.debian.org/debian-lts-announce/2018/12/msg00014.html
https://www.icinga.org/2013/12/17/icinga-security-releases-1-10-2-1-9-4-1-8-5/
http://lists.opensuse.org/opensuse-updates/2014-01/msg00010.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00028.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00046.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00068.html
http://secunia.com/advisories/55976
http://secunia.com/advisories/56316
http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/
http://www.mandriva.com/security/advisories?name=MDVSA-2014:004
http://www.openwall.com/lists/oss-security/2013/12/24/1
http://www.securityfocus.com/bid/64363
https://dev.icinga.org/issues/5251
https://lists.debian.org/debian-lts-announce/2018/12/msg00014.html
https://www.icinga.org/2013/12/17/icinga-security-releases-1-10-2-1-9-4-1-8-5/